Conventus Law

Conventus Law

by

Indonesia’s Ministry of Communication and Digital Affairs (“MOCDA”) has introduced a new regulatory framework that significantly affects Public Electronic System Providers (“Public ESPs”) in the country. 

MOCDA Regulation No. 5 of 2025, dated March 18, 2025, regarding Public ESPs (“MOCDA Reg. 5/2025”) was issued as an implementing regulation for Government Regulation No. 71 of 2019, dated October 4, 2019, regarding Electronic Systems and Transactions. This new regulation introduces mandatory compliance requirements that must be met by March 2026, with non-compliance potentially resulting in administrative sanctions, including blacklisting. 

Key Compliance Obligations

Under MOCDA Reg. 5/2025, “Public ESP” refers to an electronic system operated by a state administrative agency or institution appointed by such an agency. The regulation explicitly excludes Public ESPs that act as regulatory and supervisory authorities in the financial sector.

Under Article 3 of MOCDA Reg. 5/2025, an institution may be designated a Public ESP only if it meets the following criteria:

  1. It holds a valid registration as a Private Scope Electronic System Provider in accordance with applicable laws and regulations;
  2. It is established as an Indonesian legal entity; and
  3. It operates a data center located within the territory of the Republic of Indonesia.

The designation of a Public ESP must be formalized through a specific law or regulation. Based on this provision, private electronic system providers that are formally appointed under such legal instruments may also be classified as Public ESPs by virtue of that appointment.

Below is a summary of the key compliance obligations applicable to Public ESPs.

  1. Mandatory Registration

All existing and new Public ESPs are required to complete a new, more detailed registration process with MOCDA. This updated process mandates comprehensive disclosure of the system’s operations, infrastructure, data flows, and administrative and ownership structures. Entities that were previously registered under the prior framework must also re-register to comply with the new requirements.

Newly designated Public ESPs must complete the registration process before their electronic systems can be used or made operational. 

The registration application must include the following information:

  1. Letter of appointment (surat penugasan);
  2. Type of agency or institution;
  3. Name of the agency or institution;
  4. Name of the working unit;
  5. Telephone number of the working unit;
  6. Status of the registration officer, including designation as a Public ESP registrar;
  7. Full name of the Public ESP registration officer;
  8. Employee identification number (nomor induk pegawai or “NIP”) of the registration officer for government agencies or employee number for institutions;
  9. Official title of the registration officer;
  10. Mobile phone number of the registration officer; and
  11. Official email address of the agency or institution acting as the Public ESP.

Public ESPs must also provide a general description of the electronic system, which must include the following details:

  1. Name of the electronic system;
  2. Owner of the electronic system;
  3. Sector or domain of the electronic system;
  4. Contact information for the electronic system’s representative or point of contact;
  5. Uniform Resource Locator (URL) of the website;
  6. Domain Name System (DNS) and/or Internet Protocol (IP) address of the server;
  7. Brief description of the electronic system’s functions and business processes;
  8. Category of the electronic system based on risk assessment principles;
  9. Classified data managed by the system;
  10. Description of any personal data that is processed; and
  11. Information on the location of the management, processing, and/or storage of the electronic system and electronic data.
  1. Enhanced Data Governance Requirements

In addition to the registration requirement, Public ESPs must also fulfil the following obligations:

  1. Provide a security system that includes procedures and mechanisms for the prevention and mitigation of threats and attacks that may cause disruption, failure, or loss;
  2. Implement personal data protection measures in accordance with applicable laws and regulations; and
  3. Conduct feasibility testing of the electronic system, in line with the provisions of prevailing legislation.
  1. User-Generated Content (UGC) Controls

A UGC Public ESP refers to a Public ESP whose platform facilitates the provision, display, uploading, and/or exchange of Electronic Information and/or Electronic Documents by users of the electronic system. 

These ESPs are required to put in place technical and procedural controls to monitor and mitigate the circulation of illegal or prohibited content. This includes the following:

  1. Establish an Information and Electronic Document Governance Framework

Public ESPs are required to implement governance policies related to information and/or electronic documents. This governance must include: 

  1. The rights and obligations of system users;
  2. The rights and obligations of the Public ESP in operating the system;
  3. Accountability for the information and/or electronic documents uploaded by users; and
  4. Having mechanisms and services available to handle user complaints.
  1. Establish a Publicly Accessible Reporting Mechanism

Public ESPs must establish a reporting mechanism that is accessible to the public. This mechanism is intended for the submission of complaints and/or reports regarding prohibited information and/or electronic documents found in the system.

  1. Enforcement Powers of MOCDA on Prohibited Content


Public ESPs are required to operate their electronic systems and manage electronic information and/or documents in a reliable, secure, and accountable manner. 

In line with this obligation, Public ESPs must provide user-facing service instructions in the Indonesian language, in accordance with applicable laws and regulations. They are also required to ensure that their systems do not contain or facilitate the distribution of prohibited electronic information and/or documents. Such prohibited content includes materials that:

  1. Violate prevailing laws and regulations;
  2. Cause public unrest or disrupt public order; or
  3. Contain instructions for or provide access to other prohibited content.

Certain types of prohibited content are classified as urgent and require immediate removal. These include materials related to terrorism, child pornography, and content that significantly disrupts public order or causes widespread concern in society. 

In response to the presence of such content, the MOCDA is authorized either to directly terminate access to the content or to instruct the relevant Public ESP to do so. The MOCDA is also empowered to carry out normalization efforts, which may include restoring access once the issue has been resolved in accordance with regulatory requirements. 

Consequences of Non-Compliance

Failure to comply with MOCDA Reg. 5/2025 may result in the imposition of progressive administrative sanctions, which may include the following: 

  1. Written Warnings: Up to three written warnings may be issued, delivered via electronic mail and/or other electronic media, within a period of 7 x 24 hours (seven consecutive days).
  2. Temporary Suspension: If the Public ESP fails to respond to the third written warning within seven days, the MOCDA may temporarily suspend the electronic system.
  3. Access Blocking and Delisting: If the Public ESP does not confirm its compliance within seven days after the suspension of the electronic system, the MOCDA may:
  • Block access to the electronic system; and
  • Remove the provider from the list of registered Public ESPs.

The regulation provides a transitional period of one year from the date of its promulgation to give Public ESPs sufficient time to align with the new requirements. There will be no enforcement of administrative sanctions during this adjustment period. All Public ESPs must ensure full compliance by March 2026, after which the sanctions stipulated in MOCDA Reg. 5/2025 may be imposed.

Recommended Action Plan

We strongly encourage all affected Public ESPs to take proactive steps, including the following:

  • Internal Audit: Review existing registration status, data governance practices, and UGC handling policies.
  • Legal Review: Assess compliance gaps and legal exposure under the new regulation.
  • System & Policy Upgrades: Align internal processes with technical and procedural requirements.

Timely Re-Registration: Begin the new registration process well in advance to avoid last-minute bottlenecks.

WRITTEN BY

For further information, please contact:

Winnie Yamashita Rolindrawan – SSEK,
winnierolindrawan@ssek.com

Winnie Yamashita Rolindrawan - SSEK. Winnie Yamashita Rolindrawan holds a Bachelor of Laws in economic law from the University of Indonesia and a Master of Science in communications management. She also earned an LL.M. and a Business Law Certificate from UC Berkeley.

Winnie Yamashita Rolindrawan received her Bachelor of Laws in economic law from the University of Indonesia in 2002. In 2007, she earned her Master of Science from the Faculty of Social and Political Sciences at the same university, majoring in communications management. In 2016, Winnie received her Master of Laws (LL.M.) from the University of California, Berkeley, School of Law, where she also earned a Business Law Certificate from the Berkeley Center for Law and Business.

Winnie joined SSEK in 2007 and has represented major domestic firms and multinational companies in a variety of transactions. She has worked on numerous projects involving M&A, financial services and fintech, data privacy, pharmaceuticals and healthcare, corporate and commercial matters, foreign investment, e-commerce, and real estate and property (particularly hotels).

Her projects in the fintech sector include acting as Indonesian counsel to Didi Chuxing in the acquisition of a substantial stake in Grab Inc., a transaction valued at over US$1 billion, and acting as lead Indonesian counsel to Mastercard as the lead investor in the series B funding round of Digiasia, an Indonesian fintech startup. Winnie advises clients on all aspects of fintech and payment systems (including e-money, remittances, payment gateways and switching), from obtaining the relevant licenses to cross-border fintech M&A transactions and navigating complex regulatory, legal and commercial challenges to ensure compliance with the relevant fintech and payment system regulations of Indonesia’s Financial Services Authority (OJK) and Central Bank (Bank Indonesia).

In the healthcare sector, Winnie has represented pharmaceutical companies, including manufacturers and distributors, in providing practical solutions for their day-to-day operations, corporate and commercial contracts, and specific regulatory issues.

Prior to joining SSEK, Winnie worked at another prominent corporate law firm in Jakarta, where she was involved in various capital market transactions including IPOs, bond issues and rights issues. She helped handle several debt restructuring projects involving the Indonesian Bank Restructuring Agency (IBRA), an independent government agency established in response to the Indonesian financial crisis.

Winnie was also an associate procurement expert for an Asian Development Bank-Indonesian Ministry of National Development Planning (Bappenas) project, where she developed and drafted model national procurement documents.

Winnie is a licensed attorney and a member of the Indonesian Advocates Association (Peradi). She participated in the 2014 Academy of American and International Law, sponsored by the Southwestern Institute for International and Comparative Law in Dallas, Texas.

Having spent her childhood in Hamburg, Germany, she speaks German in addition to English and her native Indonesian.

Register for your monthly Asia legal updates from Conventus Law

Error: Contact form not found.

RELATED ARTICLES